9SrSSKrSSKrSSKrSSKrSSKJr SSKJr SSK J r SSK r Sr 1Skr SrS r"S S \R 5r"S S \5r"SS\5r"SS\5r"SS\5rSr"SS\ R,"\R.\55r"SS\5r"SS\5r"SS\5r"SS\5rS+Sjr"S S!\5r"S"S#\5r S$r!S%r"S&r#S'r$S(r%S)r&S*r'g),zAUtility functions for managing customer supplied encryption keys.N) exceptions) resources) console_iozHhttps://cloud.google.com/compute/docs/disks/customer-supplied-encryption>keyurikey-type,iXc\rSrSrSrSrg)Error#zFBase exception for Csek(customer supplied encryption keys) exceptions.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r 0lib/googlecloudsdk/api_lib/compute/csek_utils.pyr r #sNrr c,^\rSrSrSrU4SjrSrU=r$)InvalidKeyFileException'z!There's a problem in a CSEK file.cJ>[[U] SRU55 g)Nz{0} For information on proper key file format see: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file)superr__init__format)self base_message __class__s rr InvalidKeyFileException.__init__*s# !41 006|0DFrr rrrrrrr __classcell__rs@rrr's)FFrrc,^\rSrSrSrU4SjrSrU=r$)BadPatternException1z$A (e.g.) url pattern is bad and why.c>XlX l[[U]SR URUR55 g)Nz&Invalid value for [{0}] pattern: [{1}]) pattern_typepatternrr%rr)rr(r)rs rrBadPatternException.__init__4s<$L t-077    LL r)r)r(r!r#s@rr%r%1s,rr%c,^\rSrSrSrU4SjrSrU=r$)InvalidKeyExceptionNoContext=z.Indicate that a particular key is bad and why.c>XlX l[[U]SR URUR55 g)NzInvalid key, [{0}] : {1})rissuerr,rr)rrr/rs rr%InvalidKeyExceptionNoContext.__init__@s9HJ &6")) HH JJ r)r/rr!r#s@rr,r,=s6rr,c,^\rSrSrSrU4SjrSrU=r$)InvalidKeyExceptionIz6Indicate that a particular key is bad, why, and where.c>XlX lX0l[[U]SR URURUR55 g)Nz"Invalid key, [{0}], for [{1}]: {2})rkey_idr/rr2rr)rrr5r/rs rrInvalidKeyException.__init__LsEHKJ t-,33 HH KK JJ r)r/rr5r!r#s@rr2r2Is>rr2c US:a[SRU55e[U5U:wa%[USRU[U555eUSS:wa [US5eUR S5n[ R"S U5(d [US 5e[R"U5 g ![ a [US5ef=f![a*n[US RUR55eS nAff=f) zFValidateKey(s, k) returns None or raises InvalidKeyExceptionNoContext.z6ValidateKey requires expected_key_length > 1. Got {0}zTKey should contain {0} characters (including padding), but is [{1}] characters long.=z4Bad padding. Keys should end with an '=' character.asciiz"Key contains non-ascii characters.z^[a-zA-Z0-9+/=]*$zKey contains unexpected characters. Base64 encoded strings contain only letters (upper or lower case), numbers, plusses '+', slashes '/', or equality signs '='.zKey is not valid base64: [{0}].N) ValueErrorrlenr,encodeUnicodeDecodeErrorrematchbase64 b64decode TypeErrormessage)base64_encoded_stringexpected_key_lengthbase64_encoded_string_as_strts r ValidateKeyrJWs51 Mf01 33 #66 & ((.  % &)( ))2#% &@ BB.#8#?#?#H &(= > > &$ A BB = 12 . &, ... = &)00; ===s$+B<%C<C D  %DD c\rSrSrSrSr\S Sj5r\RS5r \RS5r \ S5r Srg ) CsekKeyBasez#A class representing for CSEK keys.c>[XR5S9 Xlg)N)rG)rJ GetKeyLength _key_material)r key_materials rrCsekKeyBase.__init__s 2C2C2EF%rcUS:Xa [U5$US:XaU(a [U5$[US5e[U5e)a\Make a CSEK key. Args: key_material: str, the key material for this key key_type: str, the type of this key allow_rsa_encrypted: bool, whether the key is allowed to be RSA-wrapped Returns: CsekRawKey or CsekRsaEncryptedKey derived from the given key material and type. Raises: BadKeyTypeException: if the key is not a valid key type rawz rsa-encryptedzLthis feature is only allowed in the alpha and beta versions of this command.) CsekRawKeyCsekRsaEncryptedKeyBadKeyTypeExceptionrQkey_typeallow_rsa_encrypteds rMakeKeyCsekKeyBase.MakeKeysO"5  %%?" "<00     h ''rc[S5e)Nz"GetKeyLength() must be overridden.NotImplementedErrorrs rrOCsekKeyBase.GetKeyLengths B CCrcA[S5e)NzToMessage() must be overridden.r^rcompute_clients r ToMessageCsekKeyBase.ToMessages ? @@rcUR$NrPr`s rrQCsekKeyBase.key_materials   rriNF)rrrrrr staticmethodr[abcabstractmethodrOrepropertyrQrr rrrLrLsj+&((:DDAA  rrLc$\rSrSrSrSrSrSrg)rUz!Class representing raw CSEK keys.c[$rh)BASE64_RAW_KEY_LENGTH_IN_CHARSr`s rrOCsekRawKey.GetKeyLengths ))rcZURR[UR5S9$)N)rawKeyMESSAGES_MODULECustomerEncryptionKeystrrQrcs rreCsekRawKey.ToMessages/  ) ) ? ?4$$% @ ''rr NrrrrrrOrerr rrrUrUs)*'rrUc$\rSrSrSrSrSrSrg)rVz+Class representing rsa encrypted CSEK keys.c[$rh)(BASE64_RSA_ENCRYPTED_KEY_LENGTH_IN_CHARSr`s rrO CsekRsaEncryptedKey.GetKeyLengths 33rcZURR[UR5S9$)N)rsaEncryptedKeyrwrcs rreCsekRsaEncryptedKey.ToMessages/  ) ) ? ?D--. @ 00rr Nr|r rrrVrVs340rrVc0^\rSrSrSrSU4SjjrSrU=r$)rWzA key type is bad and why.c>XlSRUR5nU(aUSU-- nUS- n[[U]U5 g)NzInvalid key type [{0}]z: .)rYrrrWr)rrY explanationmsgrs rrBadKeyTypeException.__init__sGM " ) )$-- 8C TK c3JC t-c2r)rY)r!r#s@rrWrWs"33rrWc(^\rSrSrU4SjrSrU=r$)MissingCsekExceptioncJ>[[U] SRU55 g)Nz0Key required for resource [{0}], but none found.)rrrr)rresourcers rrMissingCsekException.__init__s" .:AA(KMrr )rrrrrrr"r#s@rrrsMMrrc URSSSRU[S9S9 U(a%URSSSS RU[S9S 9 g g ) z$Adds arguments related to csek keys.z--csek-key-fileFILEaA Path to a Customer-Supplied Encryption Key (CSEK) key file that maps Compute Engine {resource}s to user managed keys to be used when creating, mounting, or taking snapshots of disks. If you pass `-` as value of the flag, the CSEK is read from stdin. See {csek_help} for more details. )r csek_help)metavarhelpz--require-csek-key-create store_trueTa Refuse to create {resource}s not protected by a user managed key in the key file when --csek-key-file is given. This behavior is enabled by default to prevent incorrect gcloud invocations from accidentally creating {resource}s with no user managed key. Disabling the check allows creation of some {resource}s without a matching Customer-Supplied Encryption Key in the supplied --csek-key-file. See {csek_help} for more details. )actiondefaultrN) add_argumentr CSEK_HELP_URL)parserflags_about_creation resource_types rAddCsekKeyArgsrsm  &-=& A C #  FM]F C Erc*\rSrSrSrSrSrSrSrg) UriPatternzCA uri-based pattern that maybe be matched against resource objects.cURS5(d [SU5e[RR U5R 5Ulg)Nhttpr) startswithr%rREGISTRYParseURL RelativeName_path_as_string)rpath_as_strings rrUriPattern.__init__sF  $ $V , , ~ 66$--66$  rc<URUR5:H$)z*Tests if its argument matches the pattern.)rr)rrs rMatchesUriPattern.Matchess   8#8#8#: ::rc SUR-$)Nz Uri Pattern: rr`s r__str__UriPattern.__str__s T11 11rrN) rrrrrrrrrr rrrrsK' ;2rrcj\rSrSrSr\S5r\S Sj5r\S Sj5r Sr S Sjr S Sjr S r g ) CsekKeyStorei z0Represents a map from resource patterns to keys.c<[R"USS9nU"X25$)aFromFile loads a CsekKeyStore from a file. Args: fname: str, the name of a file intended to contain a well-formed key file allow_rsa_encrypted: bool, whether to allow keys of type 'rsa-encrypted' Returns: A CsekKeyStore, if found Raises: googlecloudsdk.core.util.files.Error: If the file cannot be read or is larger than max_bytes. F)binary)rReadFromFileOrStdin)clsfnamerZcontents rFromFileCsekKeyStore.FromFiles! ,,U5AG w ,,rc^URcg[RURU5$)aFromFile attempts to load a CsekKeyStore from a command's args. Args: args: CLI args with a csek_key_file field set allow_rsa_encrypted: bool, whether to allow keys of type 'rsa-encrypted' Returns: A CsekKeyStore, if a valid key file name is provided as csek_key_file None, if args.csek_key_file is None Raises: exceptions.BadFileException: there's a problem reading fname exceptions.InvalidKeyFileException: the key file failed to parse or was otherwise invalid N) csek_key_filerr)argsrZs rFromArgsCsekKeyStore.FromArgs&s-" !   !3!35H IIrc F[U[R5(de0n[R"U5n[U[ 5(d [ S5eUHn[U[5(d.[ SR[R"U555e[UR55[:waB[ SR[R"U5SR[555e[US5n[R!USUSUS9X%'M [U[5(deU$!["a#n[%UR&XVR(S 9eS nAff=f![*an[ UR,6eS nAff=f) a_ParseAndValidate(s) inteprets s as a csek key file. Args: s: str, an input to parse allow_rsa_encrypted: bool, whether to allow RSA-wrapped keys Returns: a valid state object Raises: InvalidKeyFileException: if the input doesn't parse or is not well-formed. z1Key file's top-level element must be a JSON list.z7Key file records must be JSON objects, but [{0}] found.z4Record [{0}] has incorrect json keys; [{1}] expected,rrrrX)rr5r/N) isinstancesix string_typesjsonloadslistrdictrdumpssetkeysEXPECTED_RECORD_KEY_KEYSjoinrrLr[r,r2rr/r<r)srZstaterecords key_recordr)es r_ParseAndValidateCsekKeyStore._ParseAndValidate<s a)) * ** * E- 1 g  & &% @B B **d++'GNN**Z(*+ + z !%= ='DKK**Z(((3467 7 Z./ N&..%e,z*7M"5/7%. 0 eT " "" " L, N#gWWM M N - #QVV ,,-s<C/E?E2E? E<E77E<<E?? F  FF c,[UR5$rh)r=rr`s r__len__CsekKeyStore.__len__ps tzz?rc n[UR[5(deSn[R"UR5HRupEUR U5(dMUS(a([ SRUSU[U555eXE4nMT U(aUSc [U5eUS$)aSearch for the unique key corresponding to a given resource. Args: resource: the resource to find a key for. raise_if_missing: bool, raise an exception if the resource is not found. Returns: CsekKeyBase, corresponding to the resource, or None if not found and not raise_if_missing. Raises: InvalidKeyFileException: if there are two records matching the resource. MissingCsekException: if raise_if_missing and no key is found for the provided resource. )NNrzEUri patterns [{0}] and [{1}] both match resource [{2}]. Bailing out.r8) rrrr iteritemsrrrrzr)rrraise_if_missing search_statepatrs r LookupKeyCsekKeyStore.LookupKeyss djj$ ' '' 'LMM$**- X   ?'..4fq/3H /78 8 z .\!_4  ** ?rc:[RUU5Ulgrh)rrr)r json_stringrZs rrCsekKeyStore.__init__s// 0CEDJr)rNrk)rrrrr classmethodrrlrrrrrrr rrrr sU8 --$JJ*11f DErrc6U(aURU5$S$rh)re)csek_key_or_nonecomputes rMaybeToMessagers0@  # #G ,JdJrcBU(aU(aURU5$grh)r)csek_keys_or_noners rMaybeLookupKeyrs8  & &x 00 rc.[X5n[X25$rh)rr)rrrd maybe_keys rMaybeLookupKeyMessagers.9)  22rcDUVs/sHn[X5PM sn$s snfrh)r)rresource_collectionrs rMaybeLookupKeysrs"8K L8K1.* .8K LL LscV[X5Vs/sHn[X25PM sn$s snfrh)rr)rrrdks rMaybeLookupKeyMessagesrs8 + A C A12. + A CC Cs&c t[UUVs/sHo3(aURU5OSPM sn5$s snfrh)rParse)rrurisus rMaybeLookupKeysByUrirs6 156A1 Q$&6 886s#5 cX[XU5Vs/sHn[XC5PM sn$s snfrh)rr)rrrrdrs rMaybeLookupKeyMessagesByUrirs: 0$ ? A ?12. + ? AA As')Tr)(rrmrBrr@googlecloudsdk.api_lib.computergooglecloudsdk.corergooglecloudsdk.core.consolerrrrrsrr rr%r,r2rJwith_metaclassABCMetaobjectrLrUrVrWrrrrrrrrrrrr rrrs(H 5)2 0 5!#+.(OJ  OFeF 1  #:  1 '=T0#$$S[[&90f''0+0 31 3M5ME<22"KE6KEbK3 MC 8 Ar